Trang 1VIET NAM NATIONAL UNIVERSITY - HO CHI MINH CITY
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
BIET NGUYEN HOANG
MULTI-CORE ARCHITECTURE FOR DoS/DDoS
COUNTERMEASURE BASED ON RECONFIGURABLE HARDWARE
MAJOR: COMPUTER SCIENCE MAJOR ID: 60.48.01
MASTER THESIS
HO CHI MINH CITY - August 18th, 2016
Trang 2VIET NAM NATIONAL UNIVERSITY - HO CHI MINH CITY
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
BIET NGUYEN HOANG
MULTI-CORE ARCHITECTURE FOR DoS/DDoS
COUNTERMEASURE BASED ON RECONFIGURABLE HARDWARE
MAJOR: COMPUTER SCIENCEMAJOR ID: 60.48.01
MASTER THESIS
SCIENTIFIC ADVISOR
Assoc Prof., Dr THINH TRAN NGOC
Dr CUONG PHAM QUOC
HO CHI MINH CITY - August 18th, 2016
THE THESIS IS COMPLETED AT
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY - VNU HCM

Scientific advisors: Assoc Prof., Dr Thinh Tran Ngoc
                     Dr Cuong Pham Quoc
The first reviewer: Assoc Prof., Dr Vu Dinh Duc Anh
The second reviewer: Dr Son Nguyen Minh

The master thesis is defended at Ho Chi Minh City University of Technology (HCMUT), Viet Nam National University Ho Chi Minh City (VNU HCM) on July 18th, 2016.

The scientific council has been formed with the members below:
1. Assoc Prof., Dr Nam Thoai
2. Dr Anh Pham Hoang
3. Assoc Prof., Dr Vu Dinh Duc Anh
4. Dr Son Nguyen Minh
5. Assoc Prof., Dr Trang Hoang

The master thesis has been approved by the chair of the scientific council and the dean of the Faculty of Computer Science and Engineering after corrections (if any).

CHAIR of the Scientific Council          DEAN of the Faculty of Computer Science and Engineering
VIET NAM NATIONAL UNIVERSITY - HCM          SOCIALIST REPUBLIC OF VIET NAM
THE MASTER THESIS RESPONSIBILITY

Student: Biet Nguyen Hoang                  Student ID: 7140220
Day of Birth: Dec 17, 1986                  Place of Birth: Bac Lieu Province
Major: Computer Science                     Major ID: 60.48.01

I THESIS NAME:
Multi-core Architecture For Denial of Service (DoS)/Distributed Denial of Service (DDoS) Countermeasure Based on Reconfigurable Hardware

II RESPONSIBILITY AND CONTENT:
The thesis responsibility is to research DoS/DDoS for a novel high-speed architecture for countering DoS/DDoS attacks. The thesis proposes a multi-core architecture which can be upgraded to adapt and react to recent DDoS attack mechanisms and to future variants of DDoS attacks.

III THESIS IS DELIVERED ON: August 17th, 2015
IV THESIS IS COMPLETED ON: June 17th, 2016
V SCIENTIFIC ADVISORS:
Assoc Prof., Dr Thinh Tran Ngoc
Dr Cuong Pham Quoc

Ho Chi Minh City, August 18th, 2016
(Name and signature)                        Faculty of Computer Science and Engineering (Name and signature)
Acknowledgements

In this work, I have got help and contributions from my advisors, other researchers, friends and family members. Besides my hard work, they gave me advice and showed me the possibilities that I can achieve. I would like to dedicate this thesis as thanks for their help.

I am grateful to my advisors, Associate Professor Thinh Tran Ngoc and Doctor Cuong Pham Quoc, for their help, guidance and advice. They encouraged me to go further in this research. They also brought me resources and preparation which helped me in the implementation.

I would like to thank Chau Tran Thi, Quoc Nguyen Bao, Chien Do Minh and Bao Ho Quang Chi. They are my friends, but sometimes they became my mentors who gave me advice and contributed so much effort to help me implement the prototype system.

I also want to thank Binh Tran Thanh and Tien Nguyen Viet, who are managing the Computer Engineering Laboratory. They not only supported me in preparing resources in the laboratory but also provided me advice and contributions to my research.

Last but not least, I would like to thank my family members who encouraged me in this research. They also helped me with a lot of work so that I could have more time to focus on the thesis.

I also appreciate other professors, friends and colleagues. While conducting the research, I had the chance to meet and discuss the research with them. They gave me many ideas for this work.

Ho Chi Minh City, August 18th, 2016
Biet Nguyen Hoang
Abstract

The twenty-first century is the age of technology explosion. The boom of the Internet and Information Technology not only brings benefits to the community but also brings threats along with it. Distributed denial of service is one of the security threats that target companies, organisations and even the governments of nations. It prevents legitimate users from accessing network services and brings the network services down. Attackers exploit network and application vulnerabilities to perform distributed denial of service attacks. The fast growth of Internet users and inter-connected devices may be a good chance for attackers to exploit vulnerabilities to perform attacks.

The research in this thesis has been conducted to find a solution for mitigating distributed denial of service attacks. A multicore architecture based on reconfigurable hardware has been proposed as the result of the research. The architecture enables multiple mechanisms to cooperate inside the system to detect and mitigate different kinds of attacks. It even allows a working core to be reconfigured while keeping the others operating. The proposed architecture consists of two separate partitions: static and dynamic. The static partition includes packet pre-processing and post-processing, while filtering mechanisms are implemented within the dynamic partition. These filtering techniques can be implemented by either custom hardware computing cores or general purpose soft processors, or both. In all cases, these filtering computing cores can be updated or changed at runtime or design time.

A prototype system has been implemented based on the proposed architecture. It is built with two cores to accommodate two well-known distributed denial of service defence mechanisms. An experiment used to evaluate the prototype system shows that the proposed architecture works as designed. The experimental results show that the prototype system achieves a 100% detection rate with a 0% false negative rate and a 0.17% false positive rate. Moreover, the prototype system has obtained packet processing throughput at the line rate of a 10Gbps network and up to 26.248Gbps.
Tóm tắt (Vietnamese abstract, translated)

and brings network services to a halt. Attackers exploit vulnerabilities at the network infrastructure and application levels to carry out denial of service attacks. The rapid growth in the number of Internet users and network-connected devices may become a great opportunity for attackers to exploit and carry out attacks.

In this thesis, a study is carried out to find a solution to reduce and prevent denial of service attacks. A multi-core architecture based on a reconfigurable hardware platform has been created as the result of the research effort. This architecture allows multiple countermeasure mechanisms to be combined in the same system to detect and prevent many different kinds of attacks. The architecture also allows an operating filter core to be reconfigured without affecting the operation of the other filter cores. The proposed system architecture consists of two separate regions: a static region and a dynamic region. The static region includes the packet pre-processing and post-processing mechanisms, while the filter cores are implemented inside the dynamic region. These countermeasure techniques can be implemented as a hardware-level processing core, or as a multi-tasking processor, or both. In every case, these attack-filtering cores can be updated or changed during processing or in the design phase.

A prototype of the proposed architecture has been implemented. This prototype is built with two cores implementing two basic and popular denial of service countermeasure techniques. An experiment conducted to evaluate the prototype shows that the proposed architecture operates as expected by design. The test results show that the prototype detects and filters 100% of denial of service attack packets, with a 0% misidentification rate for attack packets and a 0.17% misidentification rate for normal packets. Moreover, the prototype also achieved a packet processing rate of 10Gbps on a high-speed network, and the maximum rate achieved is 26.248Gbps.
Statement of Originality

I hereby declare that the research recorded in this thesis and the thesis itself were composed and originated entirely by myself at the Faculty of Computer Science and Engineering (CSE), Ho Chi Minh City University of Technology (HCMUT), Viet Nam National University - Ho Chi Minh City (VNU HCM).

Parts of this work have previously been published in the scientific papers below:

• A Novel High-Speed Architecture for Integrating Multiple DDoS Countermeasure Mechanisms using Reconfigurable Hardware, in Jurnal Teknologi (SCOPUS E-ISSN: 21803722)
• FPGA-based Multiple DDoS Countermeasure Mechanisms System using Partial Dynamic Reconfiguration, in REV Journal on Electronics and Communications, Vol 5, No 3-4, JUL-DEC 2015
• FPGA-based Multicore Architecture for Integrating Multiple DDoS Defense Mechanisms, in International Symposium on Highly-Efficient Accelerators and Reconfigurable Technologies (HEART2016), July 25th-27th, 2016

Biet Nguyen Hoang
Contents

1 Introduction
  1.1 Motivation
  1.2 Thesis Objective
  1.3 Thesis Structure
  1.4 Summary
2 Background and Related Work
  2.1 Background
    2.1.1 Transmission Control Protocol/Internet Protocol Network Model
    2.1.2 Open System Interconnect Network Model
  2.2 Related Work
    2.2.1 DoS/DDoS Attacks Classification
    2.2.2 DoS/DDoS Defence Mechanisms & Classification
  2.3 Field Programmable Gate Array
  2.4 The NetFPGA Platform
  2.5 Summary
3 Proposed System Architecture
  3.1 Static Partition
    3.1.1 Input Arbiter
    3.1.2 Output Arbiter
    3.1.3 Packet Decoder
    3.1.4 Packet FIFO
    3.1.5 Packet Processing
    3.1.6 Dispatch Interface
    3.1.7 Updating Controller
  3.2 Dynamic Partition
    3.2.1 Defence Core
    3.2.2 Defence Decision
  3.3 Summary
4 System Implementation
  4.1 Static Partition
    4.1.1 Input Arbiter
    4.1.2 Output Arbiter
    4.1.3 Packet Decoder modules
    4.1.4 Packet Processing modules
    4.1.5 Packet FIFO
    4.1.6 Dispatch Interface
    4.1.7 Updating Controller
  4.2 Dynamic Partition
    4.2.1 Hop-Count Filtering
    4.2.2 Port Ingress/Egress Filtering
  4.3 Summary
5 Experiments
  5.1 Experimental Setup
  5.2 Experimental Results
  5.3 Summary
6 Conclusion
  6.1 Achievement
  6.2 Limitations
  6.3 Future Work
  6.4 Applications of The Proposed Architecture
References
A Waveform
B List of Publications
  B.1 A Novel High-Speed Architecture For Integrating Multiple DDoS Countermeasure Mechanisms Using Reconfigurable Hardware
  B.2 FPGA-based Multiple DDoS Countermeasure Mechanisms System Using Partial Dynamic Reconfiguration
  B.3 FPGA-based Multicore Architecture for Integrating Multiple DDoS Defense Mechanisms
List of Acronyms

AITF Active Internet Traffic Filtering
ARP Address Resolution Protocol
ARPA The Advanced Research Project Agency
ARPANET The Advanced Research Project Agency Network
ASIC Application-Specific Integrated Circuit
ATM Asynchronous Transfer Mode
AXI Advanced eXtensible Interface
CAM Content Addressable Memory
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart
CLB Configurable Logic Block
CPU Central Processing Unit
DAAD DNS Amplification Attacks Detector
DARPA The Defense Advanced Research Project Agency
DDoS Distributed Denial of Service
DMA Direct Memory Access
DoS Denial of Service
DPHCF-RTT Distributed Probabilistic HCF - Round Trip Time
DPR Dynamic Partial Reconfiguration
DRDoS Distributed Reflection Denial of Service
DSL Digital Subscriber Line
DSP Digital Signal Processor
FDDI Fiber Distribution Data Interface
FIFO First In First Out
FPGA Field Programmable Gate Array
FTP File Transfer Protocol
Gbps Gigabit per second (Gb/s)
GPP General Purpose Processor
HCF Hop Count Filtering
HDL Hardware Description Language
HTTP Hyper Text Transfer Protocol
I/O Input/Output
IC3 The Internet Crime Complaint Center
ICAP Internal Configuration Access Port
ICMP Internet Control Message Protocol
IMAP Internet Message Access Protocol
IoT Internet of Things
IP Internet Protocol
IP2HC IP to Hop Count
IPSec Internet Protocol Security
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
ISDN Integrated Service Digital Network
ISP Internet Service Provider
MHz Megahertz
MIB Management Information Base
MTU Maximum Transmission Unit
NetBIOS Network Basic Input/Output System
NFS Network File System
NIC Network Interface Controller
NTP Network Time Protocol
OS Operating System
OSI Open System Interconnect
OSNT Open Source Network Tester
PCI Peripheral Component Interface
PIEF Port Ingress/Egress Filtering
PoD Ping of Death
POP3 Post Office Protocol version 3
PR Partial Reconfiguration
RPC Remote Procedure Call
SCP Session Control Protocol
SCTP Stream Control Transmission Protocol
SFP+ Small Form-factor Pluggable Interface +
SMTP Simple Mail Transfer Protocol
SSL Secure Socket Layer
SYN Synchronous flag
TCP Transmission Control Protocol
TLS Transport Layer Security
TTL Time To Live
Tx Transmitter
U.S. The United States of America
UDP User Datagram Protocol
VHDL VHSIC HDL
VHSIC Very High-Speed Integrated Circuit
WWW World Wide Web
List of Figures

1.1 Peak DDoS attacks month-by-month
1.2 Spoofable IP address space - Spoofer Project
2.1 Teardrop attack
2.2 SYN Flood attack
2.3 Smurf attack
2.4 StopIt mechanism
2.5 FPGA device components
3.1 The proposed FPGA-based multicore architecture
3.2 The first approach for processing packets
4.1 The NetFPGA 10G platform
4.2 The FPGA-based multicore DDoS protection system based on the proposed architecture
4.3 The Packet Decoder module
4.4 The Dispatch Interface - ICAP
4.5 The Dynamic Partial Reconfiguration module
4.6 The algorithm of HCF
4.7 The Hop-Count Filtering module
4.8 The Port Ingress/Egress Filtering module
4.9 The prototype system - FPGA device view
5.1 The system validation setup
5.2 The throughput testing model setup
5.3 The throughput evaluation
5.4 The packet classification statistic ratio
A.1 Waveform of the prototype system

List of Tables

2.1 TCP/IP and OSI model comparison
2.2 The NetFPGA 10G specification
4.1 Global and specialized address blocks
4.2 The device utilization summary of the system
5.1 The packet classification statistic
5.2 The system comparison
5.3 The partial reconfiguration experiment
Chapter 1
Introduction

1.1 Motivation

The twenty-first century is an age of technology explosion. Information Technology (IT) is among the most quickly innovated fields. The Internet, the World Wide Web (WWW), Cloud, Big Data and the Internet of Things (IoT) are several achievements of IT. The Internet is an important component: it connects people over the world as if geographical distance did not exist. For this advantage, the number of Internet users is increasing over time. With the increase in the number of mobile devices, the number of Internet-connected devices is increasing even faster. There are more than 3.3 billion Internet users according to statistics from Internetlivestats.com [1]. The increase in connected devices will be a good chance for attackers to replicate malicious software, exploit user information and occupy devices for attacking purposes. The attacker may occupy devices for denial of service (DoS) or distributed DoS (DDoS) attacks on the Internet.

DoS attacks are network attack methods that prevent legitimate users from accessing network resources or services. Attackers perform DoS attacks by consuming network resources, server resources or both. A DoS attack not only exhausts network resources (e.g. network bandwidth, router processing capability) and/or server resources (e.g. sockets, CPU, memory, disk/database bandwidth and input/output (I/O) bandwidth) but also exploits vulnerabilities of a protocol or application. A DoS attack is performed from one source, while in reality the attacker often performs a DDoS attack from multiple sources through a botnet. A botnet is a group of computers/devices which are occupied and controlled by the attacker through malware. The increase of inter-connected devices may lead to the rise of DDoS attacks.

The survey by Zargar et al. [2] states that DDoS first appeared in the 1980s. Since 1999,
of 2013, the Internet Crime Complaint Center (IC3) [3] has reported that Internet crime had led to the loss of 781,841,611 U.S. dollars (including DoS attacks), which is 48.8% higher than the 581,441,110 U.S. dollars in 2012.

DDoS not only causes financial loss but also wastes system resources and power. Network devices and servers consume more power while being exhausted by DDoS attacks. Akamai's State of the Internet Security Report (Q1 2015) [4] shows that the average bandwidth consumed by DDoS attacks is 5.95 Gbps. The report also shows that there were 8 DDoS attacks which consumed more than 100 Gbps of bandwidth. As of 2014, the Arbor Networks report [5] had recorded the largest DDoS attack, which consumed bandwidth of up to 325.05 Gbps (Figure 1.1). It means that DDoS attacks are increasing in both quantity and scale. That is a challenge to Internet security.

Figure 1.1: Peak DDoS attacks month-by-month

The attacker always wants to hide their identity while performing attacks. A hidden identity not only keeps the attacker from being tracked but also makes the attack more difficult to mitigate. The attacker uses a technique called Internet Protocol (IP) spoofing to hide the source of the attack. The IP spoofing technique lets the attacker change the source IP address of a packet to something different from its original address. Therefore, IP spoofing indirectly hides the attacker's original address and identity. The IP spoofing technique is used in most DDoS attacks, especially in reflection-based and amplification-based attacks, which consume a large amount of bandwidth and are hard to mitigate. The router, which implements the network routing protocol, only checks the destination IP address of a packet, while the source IP address is left untouched. This is a weakness that lets IP spoofing keep increasing. The "Spoofer Project" [6] shows that 13.5% of the IP address space can be spoofed (Figure 1.2). This percentage is the highest value since 2006, and it is in an uptrend. The largest attack in 2014, which consumed 325.05 Gbps of bandwidth, was a combination of reflection and amplification techniques.

Figure 1.2: Spoofable IP address space - Spoofer Project

Therefore, quick identification and mitigation of DDoS attacks will prevent financial loss and save system resources. In this thesis, the research focuses on mitigating DDoS attacks that apply the IP spoofing technique. The research shows how IP spoofing works through some specific case studies. A novel architecture is proposed to identify and counter IP spoofing DDoS attacks.
1.2 Thesis Objective

The research is to find a solution that quickly detects and mitigates DDoS attacks in current high-speed network systems. It can flexibly react to different kinds of DDoS attack in the future by applying new DDoS countering mechanisms. To meet those demands, the system has to have high performance, support the cooperation of multiple mechanisms, and allow its filtering mechanisms to be changed or updated. The proposed architecture should overcome the weaknesses of current mechanisms and meet those requirements to handle future variants of DDoS attacks. Reconfigurable hardware such as the field programmable gate array (FPGA) platform is a suitable choice for the development of the system. The system needs to have the features below:

• It can cooperate multiple DDoS countering mechanisms.
• A DDoS countering mechanism can be changed or updated to adapt to and mitigate new variants of DDoS attack.
• Its operating performance is at least 10Gbps, to work with high-speed network systems.
1.3 Thesis Structure

• Chapter 2 presents the background of networking models and several commonly used protocols. It shows relevant research on DoS/DDoS, including DDoS classification and mechanisms of attack and defence. It also presents the FPGA and some development platforms supported by manufacturers.
• Chapter 3 presents the proposed multicore architecture and the architecture components. This chapter explains the communication between architecture components and shows how it works in theory.
• Chapter 4 covers the implementation of a prototype system based on the proposed architecture. This chapter shows how the prototype system and the architecture are implemented on the NetFPGA 10G platform.
• Chapter 5 shows the experiments on the prototype system. This chapter presents the setup environment and the experimental results. The experiments are conducted several times to make sure the prototype system works stably and the results are consistent.
• Chapter 6 concludes the research. This chapter states the achievements of the thesis and the limitations of the work. It also presents considerations for optimizing the prototype in future work.
• The Appendix includes the publications that have been accepted and/or published while conducting the research.

1.4 Summary

This chapter has presented the challenges of Internet security and the motivation for conducting the research. It also shows the objective of the thesis. In the next chapter, network technology and related work relevant to DDoS attacks are discussed in detail.
Chapter 2
Background and Related Work

This chapter presents the background and history of network systems. Several popular protocols are discussed, along with how they are exploited to perform an attack. This chapter also shows the classification of DDoS attacks and defences with some case studies.

2.1 Background

Before going further into network security and DDoS attacks, this section presents basic knowledge about networks and their communication protocols. This section presents the transmission control protocol/internet protocol (TCP/IP) and the open system interconnect (OSI) models and the difference between them.

2.1.1 Transmission Control Protocol/Internet Protocol Network Model

In 1969, the Advanced Research Projects Agency Network (ARPANET) [7] was founded and funded by the Advanced Research Projects Agency (ARPA), which later renamed itself the Defense Advanced Research Projects Agency (DARPA). The ARPANET was an early packet-switching network. It was the first network to implement the Internet protocol suite. The TCP/IP model is a networking model for network communication systems. The IP [8] is the principal communication protocol of the Internet protocol suite for use in interconnected systems of packet-switched communication networks. The IP is responsible for delivering packets from the source host to the destination host on interconnected networks. Because the IP protocol is not reliable, the Transmission Control Protocol (TCP) was developed on top of IP to provide reliability. TCP/IP then became the core of the ARPANET and, later, the Internet.

The TCP/IP model has four layers: the Network Access layer, Internet layer, Transport layer and Application layer.

• Network Access layer is responsible for connecting a host to the local network. It includes the protocols used to describe the local network topology, such as Ethernet, token ring, frame relay and ATM, and the interfaces needed to transmit internet layer datagrams to neighbouring hosts. This layer delivers data, presented as bits, to the network medium such as wireless, coaxial cable or optical fiber.
• Internet layer establishes a host-to-host connection. It uses the IP address to identify a host and routes packets to the destination based on the IP address. The internet layer packages data into IP datagrams, which contain source and destination address information that is used to forward the datagrams between hosts and across networks. The IP is implemented in this layer.
• Transport layer provides communication session management between host computers. This layer defines the level of service and the status of the connection used when transporting data. The TCP is implemented in this layer to provide reliability. The combination of TCP and IP is the core of a reliable network such as the ARPANET.
• Application layer defines application protocols and how host programs interface with transport layer services to communicate on the network. Several well-known protocols operating in this layer are Telnet, File Transfer Protocol (FTP), Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP).
2.1.2 Open System Interconnect Network Model

Before the development of OSI, several networking protocols existed, including government-sponsored, vendor-developed and proprietary standards. The OSI was developed to standardise those existing protocols and aimed to make them inter-operate. While OSI was being developed, the TCP/IP model was widely accepted and became an industry standard for network communication. The OSI then became a reference model for teaching.

The OSI reference model has seven layers [9]: Physical, Data Link, Network, Transport, Session, Presentation and Application layer.

• Physical layer, which is the lowest layer of the OSI model, is responsible for transmitting and receiving unstructured raw bit streams over a physical medium such as wireless, fiber optic or copper cable. It defines the electrical/optical signals that represent the digital signal pattern (1s and 0s) used by computer systems.
• Data Link layer provides error-free transfer of data frames from one host to another over the physical layer. This layer establishes and terminates the logical link between two nodes, controls frame traffic and error checking, and provides media access management to determine when a node has the right to use the physical medium.
• Network layer provides host-to-host connection establishment, routes frames among networks, translates the logical IP address into a physical address of the data link layer, and provides frame fragmentation and reassembly based on the router's maximum transmission unit (MTU) size.
• Transport layer ensures that messages are delivered in sequence, error-free, and with no loss or duplication. It relieves the higher layer protocols from any concern with the transfer of data between them and their peers.
• Session layer allows session establishment between processes running on different stations. It manages and supports session communication over the network. It also enforces security on sessions.
• Presentation layer formats the data to be presented to the application layer. This layer supports format translation, character code translation, data conversion and compression/encryption from the format used by the application layer into a common format at the sending station, and vice versa.
• Application layer serves as a window for users and application processes to access network services.

Table 2.1 shows the difference between the TCP/IP model and the OSI model.

Table 2.1: TCP/IP and OSI model comparison

TCP/IP Model          | OSI Model       | Common Protocol
----------------------|-----------------|-----------------------------------------
Internet Layer        | Network Layer   | IPv4, IPv6, ICMP, ARP, IPSec
Network Access Layer  | Data Link Layer | Ethernet, ATM, FDDI, Frame Relay
Network Access Layer  | Physical Layer  | 802.11 (Wireless), Bluetooth, DSL, ISDN
2.2 Related Work

2.2.1 DoS/DDoS Attacks Classification

A DoS/DDoS attack aims to prevent legitimate users from accessing network resources and services. It has been classified into network-level based and application-level based attacks [2]. The network-level based DDoS attack occurs from the data link layer to the transport layer of the OSI network model, while the application-level based DDoS attack exploits vulnerabilities of the upper network layers. Network-level based DDoS attacks consume network resources, while application-level based DDoS attacks consume server resources.

Network-level based attacks

A network-level based DDoS attack often exhausts network resources. It has been further classified into four subclasses: flooding attacks, protocol exploitation flooding attacks, reflection-based flooding attacks and amplification-based flooding attacks.

• Flooding attacks: this kind of attack focuses on disrupting legitimate users' connectivity by exhausting the victim's network resources, such as Internet Control Message Protocol (ICMP) flood, Domain Name System (DNS) flood and User Datagram Protocol (UDP) flood. ICMP [10] is a network protocol used to check network connectivity. It must be implemented in every IP network module to provide feedback on network connectivity. An instance of it is the ping command in every Operating System (OS). When an abnormally large number of ICMP messages come to a host, it can be overwhelmed by the requests; this is called an ICMP flood or ping flood. UDP and DNS flooding attacks operate the same way as an ICMP flooding attack but on a different protocol.
• Protocol exploitation flooding attacks: the attacker exploits specific protocol features or bugs in implementations to send malformed packets that confuse the victim's system. The attacker often performs TCP SYN and TCP SYN/ACK floods in this kind of attack. Following are some examples of this kind of attack.
  – Ping of death (PoD): the attacker exploits the IP specification [8], which only supports a largest packet size of 65,535 bytes, to perform the PoD attack [11] by sending oversized packets. The oversized packet causes the victim system to hang. This vulnerability has been patched in modern OSs.
  – Teardrop [11]: the attacker sends a packet to the victim, but this packet has been fragmented into IP fragments in which the header values overlap. The victim's machine crashes while re-assembling those fragments. Recently, OSs and network devices have handled such attacks. Therefore, teardrop attacks no longer affect any layer of network devices. Figure 2.1 describes in more detail how the Teardrop attack works.

Figure 2.1: Teardrop attack (diagram not reproduced; labels: Large IP Packet; Fragment 1, Fragment 2, Fragment 3, Fragment 4, Fragment 5 ... Frag n; Attacker; Victim)

  – TCP SYN flood: TCP is a connection-oriented protocol. A TCP session starts with a three-way handshake. First, a legitimate user sends a connection request with a synchronisation (SYN) message to the server. The server then acknowledges the SYN message by sending the SYN-ACK message back to the legitimate user. Finally, the legitimate user sends an ACK request to the server to establish the connection session. Figure 2.2(a) shows the three-way handshake process step by step. The attacker exploits the three-way handshake to attack the victim by sending a large number of SYN requests but not sending the ACK requests to complete the three-way handshake. The server waits for the ACK requests to complete those connections, which makes the server unable to process legitimate requests. The SYN flood attack can be carried out by sending packets with a spoofed address. Figure 2.2(b) describes this kind of attack.

Figure 2.2: SYN Flood attack (diagram not reproduced; labels: Attacker; Victim; SYN; SYN/ACK; ACK; Three-way handshake completed)
• Reflection-based flooding attacks: instead of attacking the victim directly, the attacker sends spoofed packets to reflectors, and the responses are then sent back to the victim and cause flooding (e.g., Smurf attack, Fraggle attack). In a reflection-based flooding attack, the attacking packets are spoofed. The Smurf attack [11] is an example of this kind of attack. The attacker sends ICMP echo requests whose destination IP address is a broadcast address. These requests are spoofed such that their source IP address is the victim's IP address. The router which receives these packets delivers them to the clients (exploited as reflectors) that belong to the specified broadcast address. As a result, the victim is flooded with responses from the reflectors. The Smurf attack applies multiple techniques such as IP spoofing, amplification and reflection. Figure 2.3 shows how the Smurf attack works. The Smurf attack can be prevented by disabling the IP directed-broadcast command in the network routers. The Fraggle attack acts the same way, but it uses UDP instead of ICMP.

Figure 2.3: Smurf attack (diagram not reproduced; labels: Attacker; Victim, IP Addr: 19.10.a.b; Broadcast Domain; ICMP echo, src IP = 19.10.a.b, Dst IP = 19.10.255.255; ICMP reply, src IP = 19.10.x.y, Dst IP = 19.10.a.b)
• Amplification-based flooding attacks: Attackers exploit services that respond with a large message or with multiple messages to amplify the traffic towards the victim. Reflection-based and amplification-based flooding attacks work in tandem. Botnets have been employed for both types of attack. A botnet is a group of computers recruited and controlled through malware by the attacker. Smurf is a good example of this kind of attack: when the attacker sends a spoofed ICMP echo packet whose destination address is a broadcast address, all hosts in that broadcast group may reply to the victim. The number of responses is much larger than the initial request. The factor indicating how much larger the response is compared to the initial request is called the amplification factor.
Application-level based attacks
Application-level attacks exhaust server resources or exploit vulnerabilities of the application protocol and application code. The attacker often exploits stateless protocols such as DNS and the Network Time Protocol (NTP) for this kind of attack. A DDoS attack that applies the reflection technique is also called a Distributed Reflection DoS (DRDoS). The attacker often performs the DDoS attack from a botnet. DDoS mitigation is even more challenging because botnets are commonly used to perform the attack.
• DNS amplification attack [2]: DNS is a network name service which resolves a domain name to an IP address and vice versa. A DNS query message is as small as 64 bytes, but its response is much bigger. The DNS response message may contain information about the queried domain, its child domains and their services. The attacker exploits this vulnerability to perform a DDoS attack. The attacker sends DNS queries to DNS servers with the recursive query option, which requires the DNS server to return all related information about the queried domain and its child domains. These packets are spoofed such that their source IP address is the victim's address. Therefore, the victim is flooded with huge responses from the DNS servers. DNS amplification DDoS has been researched before [12]. The largest DNS amplification attack, against Spamhaus, had an amplification factor of up to 200x and reached 300 Gbps [12] [13]. This kind of attack can be mitigated by disabling recursive queries on DNS servers to avoid exploitation.
• NTP amplification attack: NTP is a UDP-based protocol that supports clock synchronisation. NTP servers originally supported a monlist command for monitoring purposes only. When receiving a monlist command, the NTP server returns up to the last 600 client IP addresses that have contacted it. The returned packet size is up to 206 times larger than the request [14]. To perform an attack, the attacker sends packets with a monlist command to NTP servers that support it. Those packets are forged such that their source IP address is the victim's address. As a result, the victim is flooded with huge packets returned from the NTP servers. The largest DDoS attack recorded is an NTP amplification attack that reached 400 Gbps in 2014 [5] [14]. The way to avoid NTP amplification attacks is to deny the monlist command on NTP servers on the public network.
2.2.2 DoS/DDoS Defence Mechanisms & Classification
DDoS defence mechanisms are countermeasures to mitigate DDoS attacks. Following the DDoS attack classification, DDoS defence mechanisms are classified into network-level and application-level mechanisms [2]. Network-level defence mechanisms are deployed to mitigate DDoS attacks at the network layers. They are further categorised into source-based, network-based, destination-based and hybrid mechanisms based on deployment location. Application-level defence mechanisms are deployed to mitigate DDoS attacks that exploit application layer vulnerabilities. Detailed information on each mechanism is discussed in the following.
Network-based defence mechanism
• Source-based mechanism: These mechanisms are deployed near the source of the attack to prevent a customer network from generating DDoS traffic. They are deployed at the access router of the source's local network or at the access routers of an autonomous system (AS) that connects to the source's edge routers. Port Ingress/Egress Filtering (PIEF) is proposed by Ferguson [15] to filter spoofed packets. The ingress and egress names depend on the deployment position. Ingress filtering is deployed to filter inbound traffic; spoofed packets are blocked when coming through this filter. Egress filtering filters outbound traffic to ensure that spoofed or malicious packets never leave the internal network. The IPSec protocol can eliminate IP-spoofed packets by authenticating the source address before delivering packets, but this method is not widely used because of its high overhead.
• Destination-based mechanism: The destination-based mechanisms are deployed near the victim side to detect and mitigate DDoS attacks. The Management Information Base (MIB) [16] provides a method to monitor network traffic and routing statistics. MIB can be used at the victim side to detect DDoS attacks. Wang et al. [17] proposed a method named Hop-Count Filtering (HCF) to filter spoofed packets based on the number of hops that packets traversed before arriving at the victim. Each packet travelling on the network has its own initial Time-To-Live (TTL) value. When a packet traverses a router (hop), its TTL value is decreased by one before forwarding to the next hop. Packets whose TTL reaches zero are dropped, and the router sends a "TTL Exceeded in Transit" message to the source. Therefore, a packet's hop-count value cannot be spoofed. The hop-count value is calculated by comparing the initial TTL to the final TTL value when the packet arrives at the destination. While not under attack, IP addresses and their hop-count values are collected and stored in IP-to-Hop-Count (IP2HC) tables. When a DDoS attack occurs, each packet's IP and hop-count value is compared to the IP2HC table. If it matches the IP2HC table, it is a legitimate packet; otherwise, it is a spoofed packet and is dropped. The paper claimed that HCF can identify 90% of spoofed packets. Ritu et al. [18] combined probabilistic filtering and round trip time in Distributed Probabilistic HCF-Round trip time (DPHCF-RTT). Packets are checked once by the intermediate DPHCF-RTT routers (nodes), then forwarded to the victim. The more intermediate routers implement it, the higher the detection rate of malicious packets. The paper claimed that the detection rate is up to 99.33%.
• Network-based mechanism: These mechanisms are mainly deployed on the routers of the ASs. They detect attack traffic and create a proper response to stop it at the intermediate network level. Detecting and filtering malicious routers [19] is a method of this mechanism. The Watchers [2] detect misbehaving routers exploited by an attacker to support a DDoS attack, such as routers misrouting packets. The route-based packet filtering method [20] extends PIEF to the routers in the core of the Internet to filter malicious packets.
• Hybrid (Distributed) mechanism: There is no single strong mechanism that mitigates DDoS attacks effectively. DDoS attack traffic can be detected accurately when it reaches the destination, but mitigation is not effective at the destination. At the source of the attack it is hard to detect DDoS, but it can be prevented completely there. The hybrid (distributed) mechanism is researched to combine other mechanisms to mitigate DDoS effectively. Active Internet Traffic Filtering (AITF) [21] is a hybrid mechanism that enables a receiver to deny all traffic by default and only accept traffic that belongs to established connections. The alternative configuration is that the receiver accepts all traffic by default and only denies traffic identified as malicious or undesirable. This method needs the cooperation of all Internet service providers (ISPs) to receive the request from the receiver and filter the traffic at its source. StopIt [22] is a hybrid mechanism that enables each receiver to stop an attack at its source. Each AS installs a server named the StopIt server to filter malicious traffic when receiving requests from hosts or other StopIt servers. When a receiver receives malicious traffic, it sends a StopIt request, carrying the traffic source and destination information, to the StopIt server located in its own AS. This StopIt server forwards the StopIt request to the StopIt server of the AS from which the traffic comes. Then the StopIt server of the source AS requests the router connected to the host generating the traffic to block it. This mechanism needs the cooperation of all ASs on the Internet. Figure 2.4 shows how the StopIt mechanism works.
Figure 2.4: StopIt mechanism
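The following is an added example, not code from the thesis or from the cited papers: a software model of the two network-level filters described above, Hop-Count Filtering (HCF) with its IP2HC table and a simplified ingress/egress (PIEF) check, run over constructed (source IP, TTL, direction) samples. It assumes the common initial TTL values 32, 64, 128 and 255 and a constructed protected prefix 10.0.0.0/8.

```python
"""Added example (not the thesis's own code): HCF and PIEF as software filters.

Assumptions (not from the thesis): hosts start with one of the default initial
TTLs 32, 64, 128 or 255, and 10.0.0.0/8 is the constructed internal network."""
from ipaddress import ip_address, ip_network

INITIAL_TTLS = (32, 64, 128, 255)  # assumed set of default initial TTLs


def hop_count(final_ttl: int) -> int:
    """Infer the hop count from the TTL seen at the destination: the initial
    TTL is taken as the smallest default that is >= the final TTL."""
    for initial in INITIAL_TTLS:
        if final_ttl <= initial:
            return initial - final_ttl
    raise ValueError(f"invalid TTL {final_ttl}")


class HopCountFilter:
    """Builds the IP2HC table while not under attack, then filters with it."""

    def __init__(self) -> None:
        self.ip2hc: dict = {}

    def learn(self, src_ip: str, ttl: int) -> None:
        # Peace-time learning: remember the hop count observed for this source.
        self.ip2hc[src_ip] = hop_count(ttl)

    def is_spoofed(self, src_ip: str, ttl: int) -> bool:
        expected = self.ip2hc.get(src_ip)
        if expected is None:
            return False  # unknown source: HCF has no entry to compare against
        return hop_count(ttl) != expected


class IngressEgressFilter:
    """Simplified PIEF: an inbound packet may not claim an internal source,
    and an outbound packet must carry an internal source."""

    def __init__(self, internal_prefix: str) -> None:
        self.internal = ip_network(internal_prefix)

    def is_spoofed(self, src_ip: str, inbound: bool) -> bool:
        internal_src = ip_address(src_ip) in self.internal
        return internal_src if inbound else not internal_src


def filter_packets(hcf: HopCountFilter, pief: IngressEgressFilter, packets):
    """Return one verdict ('bypass' or 'drop') per (src_ip, ttl, inbound)."""
    verdicts = []
    for src_ip, ttl, inbound in packets:
        spoofed = pief.is_spoofed(src_ip, inbound) or hcf.is_spoofed(src_ip, ttl)
        verdicts.append("drop" if spoofed else "bypass")
    return verdicts


def demo():
    """Constructed sample run: one learned source, then mixed traffic."""
    hcf = HopCountFilter()
    pief = IngressEgressFilter("10.0.0.0/8")
    hcf.learn("198.51.100.7", 52)  # peace time: TTL 52 = initial 64 - 12 hops
    packets = [
        ("198.51.100.7", 52, True),   # genuine: 12 hops matches the table
        ("198.51.100.7", 120, True),  # same source but 8 hops from 128: spoofed
        ("10.1.2.3", 60, True),       # inbound packet claiming an internal source
        ("10.1.2.3", 64, False),      # outbound packet with an internal source
        ("203.0.113.9", 240, True),   # unknown source: no IP2HC entry
    ]
    return filter_packets(hcf, pief, packets)
```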
Application-based defence mechanism
• Destination-based (server side) mechanism: Most application-layer protocols are organised as a client-server model. A server is a process that implements a specific service (e.g., DNS server, Web server, Email server). A client is a process that requests a service from a server. Therefore, most of these mechanisms are implemented close to the server and observe it to monitor clients' behaviour so that they can detect and drop, or rate-limit, malicious requests. The DNS Amplification Attacks Detector (DAAD) [23] is an example of this mechanism. DAAD is a proactive mechanism to detect potential DNS amplification attacks. It collects DNS requests and replies using the IPTraf tool [24]. Then, DAAD stores the captured data in a MySQL database for classification. If a reply does not match any request within a time frame, it is a suspicious packet and a firewall rule is updated to filter the attacker's IP address.
• Hybrid (Distributed) mechanism: This type of mechanism employs collaboration between client and server to detect and react to attacks. For instance, Kandula et al. propose a system to protect a web cluster from application-level DDoS attacks. This system employs the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) [25]. This mechanism differentiates DDoS flooding bots from humans by asking the client to solve a puzzle. If the puzzle is solved, the client is a legitimate user; otherwise, the client is suspicious and is filtered.
2.3 Field Programmable Gate Array
A Field Programmable Gate Array (FPGA) is a semiconductor device based around a matrix of configurable logic blocks (CLBs) connected via programmable interconnects [26]. It is an integrated circuit that can be configured by the customer or designer after manufacturing. The three major components of an FPGA are:
• Logic block: also known as a CLB. A CLB includes lookup tables (LUTs) to implement combinational logic, registers for sequential circuits, and additional logic such as multiplexers. Each LUT has multiple inputs to combine multiple parameters.
• Input/Output block: These blocks are responsible for connecting and communicating with external components or devices.
• Interconnection switch: These switches can be programmed to connect or disconnect CLBs, I/O blocks and other components.
An FPGA may contain other blocks such as memory, clock distribution, digital signal processors (DSPs), embedded microprocessors/microcontrollers and high-speed serial transceivers. Figure 2.5 shows the basic components of an FPGA device.
An FPGA is more flexible than an application-specific integrated circuit (ASIC). Both of them are programmable. While an FPGA is programmable after manufacturing by users, an ASIC is programmed by experts at the manufacturer and cannot be re-programmed after manufacturing. An FPGA not only takes advantage of hardware-based high-speed parallel processing but also has the flexibility of software-based programmability. FPGAs are designed and programmed using a hardware description language (HDL) such as Verilog or the very high speed integrated circuit (VHSIC) HDL (VHDL).
[Figure 2.5: FPGA device components. Legend: Configurable Logic Block, Input/Output Cell, Interconnection Resource]
An FPGA device is configured by loading application-specific configuration data, named a bitstream, into its internal configuration memory. Partial reconfiguration (PR) is the modification of an operating FPGA's configuration memory by loading a partial configuration file. With the rapid development of the technology, FPGAs now allow dynamic partial reconfiguration (DPR), which means that some parts of an FPGA device can be reconfigured at runtime while other parts are still working. This runtime reconfiguration helps systems be updated while still operating. The DPR design flow partitions the configuration memory into static logic and reconfigurable logic [27]. In the DPR process, the static logic remains functioning while the reconfigurable logic is modified by the partial configuration file. In this research, DPR is applied to change and update the DDoS countering mechanisms to adapt to future security challenges.
2.4 The NetFPGA Platform
NetFPGA is an open-source hardware and software platform designed for research and teaching [28]. It allows researchers, developers and students to build prototypes of high-speed, hardware-accelerated networking systems on its supported boards. These boards, named NetFPGA platforms, are built upon FPGA technology supported by the manufacturer. There are several NetFPGA platforms such as NetFPGA 1G, NetFPGA CML, NetFPGA 10G and NetFPGA SUME. This research is implemented on the NetFPGA 10G.
NetFPGA 10G [29] is a NetFPGA platform based on the Virtex-5 FPGA family from Xilinx. NetFPGA 10G is an x8 generation 2 PCI-Express board with four 10 Gbps SFP+ interface ports. It carries a Virtex-5 TX240T FPGA. Table 2.2 shows the detailed specification of the NetFPGA 10G board.
Table 2.2: The NetFPGA 10G specification
Feature                                      Value
Maximum Distributed RAM (Kbits)              2,400
Block RAM/FIFO w/ECC (36 Kbits each)         324
Total Block RAM (Kbits)                      11,664
Digital Clock Managers (DCM)                 12
Phase Locked Loops (PLL)/PMCD                6
Maximum Single-Ended Pins                    680
Maximum Differential I/O Pairs               340
PCI Express Endpoint Blocks                  1
10/100/1000 Ethernet MAC Blocks              4
RocketIO GTX High-Speed Transceivers         48
Configuration Memory (Mbits)                 65.8
2.5 Summary
Chapter 2 presents the background knowledge on which this research is built. It discusses the TCP/IP and OSI network models; a comparison chart shows the difference between the two models. The related work section discusses existing DDoS research; DDoS attack and defence mechanisms and their classification are also presented. FPGA and the NetFPGA 10G platform are briefly introduced. They are the base platform for the architecture proposed in the next chapter.
Chapter 3
Proposed System Architecture
This chapter presents the proposed FPGA-based multicore architecture to integrate multiple DDoS countermeasure mechanisms. Besides the input and output ports, the system is partitioned into a Static and a Dynamic partition. The static region implements the base components of the system. The dynamic region contains multiple DDoS defence cores and the Defence Decision module. Figure 3.1 shows the proposed architecture.
[Figure 3.1: The proposed FPGA-based multicore architecture, showing Defense Cores 2 to n and output ports up to Output n]
3.1 Static Partition
The Static Partition accommodates the basic modules that are fixed at design time. The modules in this partition are mainly responsible for decoding incoming packets and processing those packets based on the decisions from the DDoS countering modules. It also accommodates the Update Controller and Dispatch Interface that support reconfiguring the defence cores while operating.
3.1.1 Input Arbiter
The Input Arbiter module delivers raw packets from multiple input ports to the Packet Decoder. It serialises packets that arrive in parallel, so the Packet Decoder can process all packets one after another. An input queue stores the chain of packets before they reach the Packet Decoder. There are several strategies to deliver packets to the input queue, such as round robin and busy-port priority. Round robin is a simple way to organise packets from the input ports into the input queue: the round robin strategy picks one packet from each port at a time, then rotates the next pick to another port. Busy-port priority allows the busiest port to be served first: if a port is busy, it is prioritised when picking the next packet. The busy port can be identified by analysing the previous port statistics; the port statistics usable for priority analysis are packets per second or megabits per second. Busy-port priority is harder than round robin to implement.
3.1.2 Output Arbiter
The Output Arbiter module is responsible for sending packets out to the network. It receives a packet and decides the destination to which the packet is forwarded. The Output Arbiter picks the packets in the Packet FIFO one by one to check them and deliver each to the right destination port. Depending on the implementation, this module can be considered a routing module.
3.1.3 Packet Decoder
This module decodes incoming packets and extracts their header and payload fields. The header is then sent to the defence cores, located in the dynamic partition, that implement the DDoS defence mechanisms. The number of header fields that need to be extracted depends on the implemented defence cores. General header fields include the source IP address, destination IP address, source port, destination port and TTL value. For defence cores that require more fields from the packet header, the feature extraction can be implemented in the Packet Decoder module. Some anomaly-based DDoS defence mechanisms need to calculate packet statistics, which can also be integrated into the Packet Decoder. The raw incoming packets are then forwarded to and stored in the Packet FIFO module while waiting for the classification results from the DDoS defence mechanisms.
processing cores. There are two approaches to processing packets. In the first approach, the packet is decoded into separate fields (header and payload). Those fields are then sent to the defence cores for classification. If the packet is malicious, its separated fields are discarded. If the packet is legitimate, the separated fields are re-encapsulated and sent out to the network. This approach places a heavy load on the system because it needs to manage and store multiple pieces of each packet and spends more resources to pack them again. Moreover, when encapsulating a packet, the packet checksum needs to be recalculated, and this process also takes time. Figure 3.2 shows how the first approach works.
[Figure 3.2: The first approach for processing packets: the Packet Decoder unpacks the Data Link, Network and Transport layer headers, the Filtering core classifies them, and the Packet Encoder re-packs the packet for output]
In this work, the Packet FIFO is chosen to store the incoming packets. The size of this FIFO depends on the system performance (throughput) as well as the network speed: the higher the throughput the system can process, the smaller the FIFO required. Therefore, the size of this FIFO varies from one system implementation to another. In other words, this FIFO can be implemented in on-chip memory or off-chip memory depending on its size. Although the module is fixed at design time, it cannot be considered a module of the static partition (as depicted in Figure 3.1) because this module can be implemented in on-chip memory.
3.1.5 Packet Processing
The Packet Processing module receives decisions from the Defense Decision module located in the dynamic partition. A decision is either bypass, to allow the corresponding packet to be forwarded to the output ports, or drop, to signal that the corresponding packet belongs to a DDoS attack. Based on these decisions, the Packet Processing module sends the corresponding packet from the Packet FIFO module to the destination output port if the packet is legitimate. Otherwise, the packet is deleted from the Packet FIFO.
3.1.6 Dispatch Interface
As stated above, one of the primary goals of this proposed architecture is the runtime reconfiguration of the DDoS defence processing cores. In other words, the Defense Cores implementing DDoS defence mechanisms can be updated or changed at runtime to adapt to DDoS attacks quickly. While a Defense Core is being updated or replaced, the others keep working without any interference. To support this goal, the Dispatch Interface is responsible for communication between the host processor and the DDoS protection system. When the Defense Cores are soft general purpose processors (GPPs), the host processor can configure the cores by sending new instruction caches through this interface. Otherwise, if these cores are dedicated hardware processing cores, a dynamic partial reconfiguration bitstream is sent from the host processor to modify the Defense Cores.
3.1.7 Updating Controller
The main purpose of this module is to control the process of updating or changing the Defense Cores. When receiving an update request from the host, this module disables the defence core before allowing its configuration code to be updated. However, the Updating Controller module varies from implementation to implementation. If the system executes the DDoS defence mechanisms on soft GPPs, the Updating Controller just needs to select the right instruction cache and replace it with the new instruction cache. If dedicated hardware processing cores are used to execute the DDoS defence mechanisms, the Updating Controller must include the additional modules that support the dynamic partial reconfiguration technique. These supporting modules depend on the FPGA family. Therefore, we only describe the Updating Controller module in the proposed architecture.
3.2 Dynamic Partition
Attackers usually deploy DDoS attacks using different attack methods. Therefore, one of the requirements for building a comprehensive DDoS defence system is to combine multiple DDoS defence mechanisms. Moreover, these mechanisms should be updatable or replaceable at runtime. Therefore, the dynamic partition includes different DDoS Defense Cores, each of which implements a different DDoS countermeasure technique. When at least one Defense Core recognises a packet as an attacking packet, the system should remove the packet.
3.2.1 Defence Core
Defence Cores are mainly responsible for scanning incoming packets to classify them as legitimate packets or DDoS attacking packets. Different DDoS filtering techniques require different input data such as header fields or payload fields. These fields are supplied by the Packet Decoder module. Defence Cores can be implemented as soft GPPs (such as MicroBlaze [30] or NIOS [31] processors), as dedicated custom hardware processing cores, or both. In all cases, Defense Cores can be updated or changed at both runtime and design time. When the Defense Cores are soft GPPs, the update process just requires changing the GPPs' instruction caches. Meanwhile, if the Defense Cores are specialised hardware cores, we need to use the dynamic partial reconfiguration technique of the FPGA device. Compared to the GPP approach, dedicated hardware Defence Cores achieve better performance due to parallelism.
3.2.2 Defence Decision
DDoS attacks can be deployed using different methods, and one defence mechanism can only detect one type of DDoS attack. Therefore, in a DDoS protection system with multiple filtering mechanisms, if a packet is classified as an attacking packet by one DDoS filtering technique, we do not need to wait for the decisions of the other techniques. The main duty of the Defense Decision module is to monitor the classification information from the Defense Cores to determine whether a packet is legitimate or belongs to a DDoS attack. If any one Defense Core recognises a packet as an attacking packet, the Defense Decision module immediately sends a drop signal to the Packet Processing module accommodated in the static partition. Consequently, the Defense Decision module resets all Defense Cores to start processing the next packet, since we do not need to wait until all Defense Cores finish their scanning process. In contrast, if all Defense Cores vote for a packet as legitimate, the Defense Decision module sends a bypass signal to the Packet Processing module.
3.3 Summary
Chapter 3 presents the proposed multicore architecture, which separates the dynamic partition from the static partition to achieve dynamic partial reconfiguration. The proposed multicore architecture is feasible. The design uses the hardware-based high-performance processing and the programmability of reconfigurable hardware such as FPGAs to achieve the objective. It is not so easy to implement, but not so complicated either. The next chapter presents an instance of the proposed architecture on a particular FPGA platform, a NetFPGA 10G board. It is the prototype system on which the experiments are performed.
Chapter 4
System Implementation
This section presents the first prototype version implementing the proposed FPGA-based multicore architecture, integrating two well-known DDoS defence techniques, HCF and PIEF. The NetFPGA-10G board containing a Xilinx XC5VTX240T device is used as the experimental platform. The board has four SFP+ ports (NIC Rx and NIC Tx) that are suitable for building a high-speed network processing system. Figure 4.1 shows the NetFPGA 10G development platform. Two Defence Cores implementing the HCF and PIEF techniques are developed as dedicated hardware processing cores. Therefore, we apply the dynamic partial reconfiguration technique to update and modify the Defense Cores, as stated above. In this section, we mainly highlight the two DDoS filtering techniques, the Updating Controller (DPR) module used to control the dynamic partial reconfiguration process, and the Dispatch Interface (ICAP) used to receive the dynamic partial reconfiguration bitstream from the host processor. These modules are implemented in Verilog-HDL as described above. Figure 4.2 depicts our prototype system based on the proposed architecture.
Figure 4.1: The NetFPGA 10G platform
4.1.1 Input Arbiter
The Input Arbiter module delivers raw packets from multiple input ports to the Packet Decoder. It serialises packets that arrive in parallel, so the Packet Decoder can process all packets one after another. An input queue stores the chain of packets before they reach the Packet Decoder. In this prototype system, the round robin strategy is implemented in the Input Arbiter.
4.1.2 Output Arbiter
The Output Arbiter module is responsible for sending packets out to the network. It receives a packet and decides the destination to which the packet is forwarded. The Output Arbiter picks the packets in the Packet FIFO one by one to check them and deliver each to the right destination port. In this prototype system, the Output Arbiter module supports manual configuration to route packets between ports.
4.1.3 Packet Decoder modules
The Packet Decoder module receives an incoming packet from the NIC Rx inputs of the SFP+ ports. The Packet Decoder decodes and extracts the header of the incoming packet according to layers 2 to 4 of the OSI network model. Then, the header is sent to the defence cores in the Dynamic Partition for classification. The raw packet is stored in the Packet FIFO while waiting for the classification results from the defence cores. The